2009/7/15 candlerb <b.cand...@pobox.com>:
>
> The login page gets inserted into the DOM, so I know the client must
> be chasing the redirect and I must be getting either "success" or
> "notmodified" in status. Looking at jQuery source, this comes from
> xhr.status (in function httpSuccess) which gives "success" for 2xx or
> 304, so any 3xx redirect code must have been followed and lost.
>
> I can check for xhr? at the server side, and if so, instead of
> redirecting to the login page I can send back some sort of uncommon
> HTTP error which can be detected, e.g. 410 Gone, or a custom HTTP
> header. I'll have a play along those lines.
>
The XMLHttpRequest object transparently follows 3xx redirect responses, so your idea of detecting the situation on the server is the way to go. As James has pointed out, the X-Requested-With header is your best bet.

If you intend to send a client error code then you're probably best with 403 Forbidden [1]; then you can include an appropriate message for the user, with a link to the login page, as the body of the response (aka "the entity"):

"If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity."

It's slightly stretching the interpretation of "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated" to use 403 in this case, but I think it can be justified, in that the application is being told not to attempt authorization, and can instead inform the user that _they_ will have to attempt authorization by logging back in to start a new session.

You might also consider adding a query string parameter to the login link (e.g. the id of the expired session) that allows the application to be re-initialised to the state it was in at the time of the failed Ajax request once the user has established the new session, as this will make things a bit easier on the user. On the other hand, this may be unnecessary, overkill, or just too complex to be worth doing, depending on your application.

Regards,

Nick.

--
Nick Fitzsimons
http://www.nickfitz.co.uk/
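The scheme discussed in this thread, worked through as an added example that is not code from either poster: the server looks at X-Requested-With and answers an expired session with a 302 redirect for ordinary navigation but a 403 with an explanatory entity for Ajax, and the client inspects xhr.status instead of trusting the followed redirect. The function names, the `/login` path, the `expired` query parameter and the request/response object shapes are assumptions made for illustration; the jQuery wiring is shown only in a comment.

```javascript
// Added example, not from the original thread. Request and response are
// modelled as plain objects so the logic can run without a server or jQuery.

// HTTP header names are case-insensitive; look the header up accordingly.
function getHeader(headers, name) {
  var want = name.toLowerCase();
  for (var key in headers) {
    if (Object.prototype.hasOwnProperty.call(headers, key) &&
        key.toLowerCase() === want) {
      return headers[key];
    }
  }
  return undefined;
}

// jQuery's $.ajax adds "X-Requested-With: XMLHttpRequest" to every request,
// which is what lets the server tell an Ajax call from a page navigation.
function isXhr(headers) {
  return getHeader(headers, 'X-Requested-With') === 'XMLHttpRequest';
}

// The login link is reflected into an HTML entity, so escape it even though
// encodeURIComponent already leaves nothing dangerous in the query value.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Server side: what to send back when the session behind `req` has expired.
// req = { method, headers, expiredSessionId }; loginPath is e.g. '/login'.
function buildSessionExpiredResponse(req, loginPath) {
  var loginUrl = loginPath + '?expired=' + encodeURIComponent(req.expiredSessionId);
  if (!isXhr(req.headers)) {
    // A normal navigation: the browser can follow a redirect to the login page.
    return { status: 302, headers: { 'Location': loginUrl }, body: '' };
  }
  // An Ajax request: XHR would follow a 302 silently, so refuse with 403 and
  // put the explanation (and the login link) in the entity body.
  var resp = {
    status: 403,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' },
    body: ''
  };
  if (req.method !== 'HEAD') { // RFC 2616: the entity is only sent for non-HEAD
    resp.body = '<p>Your session has expired. <a href="' + escapeHtml(loginUrl) +
                '">Log in again</a> to continue.</p>';
  }
  return resp;
}

// Client side: decide what to do with a failed jQuery Ajax call.
// xhr is the XMLHttpRequest handed to the `error` callback.
function classifyAjaxFailure(xhr) {
  if (xhr.status === 403) {
    // Session expired: show the server's entity, which carries the login link.
    return { action: 'session-expired', html: xhr.responseText };
  }
  if (xhr.status === 0) {
    return { action: 'network-error', html: '' }; // aborted or connection failed
  }
  return { action: 'request-failed', html: '' };
}

// Wiring, for reference (needs jQuery, so left as a comment here):
// $.ajax({ url: '/api/items', error: function (xhr) {
//   var r = classifyAjaxFailure(xhr);
//   if (r.action === 'session-expired') { $('#notice').html(r.html); }
// }});
```

Two points worth keeping in mind when adopting this: the 403 is marked `no-store` so an intermediary never caches the "session expired" entity for a later, valid request, and the value placed in the `expired` parameter ends up in server logs and Referer headers, so a short-lived opaque token for re-initialising client state is a safer choice there than a raw session identifier.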